Efficient security association establishment negotiation technique

ABSTRACT

A Security Association establishment negotiation technique includes forwarding identifying information from a Mobile Node via a first interface to a first network element. Negotiations are then initiated between the first network element and a second network element serving as a proxy for the Mobile Node via a second interface to establish a Security Association between the Mobile Node and the first network element, the second network element utilizing previously stored Security Association parameters of the Mobile Node. Upon agreement between the first network element and the second network element with regard to the Security Association parameters, the first network element forwards the agreed-upon Security Association parameters to the Mobile Node via the first interface. The first network element may include a Home Agent, a Correspondent Node or an Agent, and the first interface may include a wireless interface to forward information between the Mobile Node and the first network element. The first network element may also include a first gateway connected to it. The first gateway may include an AAA (Authentication, Authorization, and Accounting) server. The second network element may include a second gateway and a Subscriber database/Authentication Center, and the second gateway may be connected to the Subscriber database/Authentication Center. The second gateway may also include an AAA server.

FIELD

The present invention relates to wireless terminals and more particularly to a technique for efficiently negotiating the establishment of security associations between a Mobile Node connected to the wireless terminal and different network entities.

BACKGROUND OF THE INVENTION

In wireless networks, such as cellular networks, Mobile Nodes such as cellular telephones must establish security associations with different network entities. Establishing a Security Association between a Mobile Node and a network entity means deciding a set of parameters describing the Security Association. In particular, it may mean deciding what security algorithms, such as encryption, integrity protection, authentication and key derivation algorithms, are to be used for communications over the wireless interface. It may also mean deciding how these algorithms are to be used and in what cases, what keys are to be used with the algorithms, how additional keys to be used in the Security Association are to be derived, the lifetime of the Security Association and of the keys established in the Security Association.

For example, in future cellular networks, the Mobile Node will have to dynamically establish security associations with various different network entities.

The following lists security associations that a Mobile Node may need to establish with an entity. The list is provided to illustrate the current application, which is not restricted to the following scenarios.

The Mobile Node and the serving system must agree on the aspects of a Security Association mentioned above for communications over the wireless interface with a network entity.

If the network is a mobile IPv4 (Internet Protocol) based cellular network, the Mobile Node and the Foreign Agent may have to establish a Security Association.

If the network is a mobile IP (Internet Protocol) based cellular network, and the Home Agent is dynamically assigned, then the Mobile Node and the assigned Home Agent must set up a Security Association. Furthermore, if the network is a mobile IP based cellular network, then the Mobile Node and the Corresponding Node may also have to set up such a Security Association in order to use Route Optimizations.

If a Localized Mobility Management scheme such as MIPv6RR (Mobile IPv6 Regional Registration) or HMIPv6 (Hierarchical Mobile IPv6) is used, the Mobile Node and the Agents in the visited domain must share a Security Association. Thus, as noted above, there are many cases in which the Mobile Node needs to set up a Security Association with one or more Network Entities in the visited domain. In order to set up such a Security Association, the Mobile Node needs to indicate to the Network Entities the list of parameters describing the Security Association mentioned above that it supports.

The messages sent by the Mobile Node containing the above noted information can be long since the Mobile Node must define the capabilities it supports and must send some specific proposals to the Network Entities. The Mobile Node and the Network Entities may sometimes exchange many messages before agreeing on specific parameters of the Security Association as described above. Accordingly, the negotiations needed to set up the Security Associations are extensive and therefore not efficient for cellular networks or other wireless networks where the radio resources are limited and expensive.

SUMMARY OF THE INVENTION

In the efficient security association establishment negotiation technique of the present invention, negotiations over the wireless link between the Mobile Node and a Network Entity are avoided to conserve limited radio resources. This is achieved by having a negotiation between such a Network Entity and a network element in the home domain/network acting as a proxy on behalf of the Mobile Node in the establishment of a Security Association between the Mobile Node and a Network Entity.

A security association establishment negotiation technique in accordance with the present invention includes forwarding identifying information from a Mobile Node via a first interface to a first network element. Negotiations are then initiated between the first network element and a second network element acting as a proxy for the Mobile Node via a second interface to establish a security association between the Mobile Node and the first network element, the second network element utilizing previously stored Security Association parameters and preferences of the Mobile Node. Upon agreement between the first network element and the second network element with regard to the Security Association parameters, the first network element forwards the agreed-upon Security Association parameters to the Mobile Node via the first interface.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and a better understanding of the present invention will become apparent from the following detailed description of example embodiments and the claims when read in connection with the accompanying drawings, all forming a part of the disclosure of this invention. While the foregoing and following written and illustrated disclosure focuses on disclosing example embodiments of the invention, it should be clearly understood that the same is by way of illustration and example only and the invention is not limited thereto. The spirit and scope of the present invention are limited only by the terms of the appended claims.

The following represents brief descriptions of the drawings, wherein:

FIG. 1 illustrates an example of a Security Association establishment between a Mobile Node and an Agent in accordance with the present invention.

FIG. 2 illustrates an example of an environment in which the technique in accordance with the present invention may be used.

FIG. 3 illustrates an example of a negotiation to establish a Security Association in accordance with the present invention.

FIG. 4 illustrates another example of a negotiation to establish a Security Association in accordance with the present invention.

DETAILED DESCRIPTION

Before beginning a detailed description of the subject invention, mention of the following is in order. When appropriate, like reference numerals and characters may be used to designate identical, corresponding, or similar components in differing drawing figures. Further, in the detailed description to follow, example sizes/models/values/ranges may be given, although the present invention is not limited thereto. Lastly, the details of various elements which are defined by currently used industry standards have not been included for simplicity of illustration and discussion so as not to obscure the invention. However, where known, these standards will be cited in the specification and are incorporated by reference herein in their entirety.

FIG. 1 illustrates an example of a Security Association establishment between a Mobile Node and an Agent in accordance with the present invention. The following text contains a list of scenarios to identify different types of agents. The list is not exhaustive and the current application is not to be considered restricted to the following scenarios. As an example, if a security association is required to protect data over the access link between the Mobile Node and the Access Router, the Agent can be the Access Router. In the same way, if the network is a Mobile IP (Internet Protocol) based cellular network, and the Mobile IP Home Agent is dynamically assigned for the Mobile Node, the Agent can be the Home Agent. If the network is in particular a Mobile IPv4 based cellular network, the Agent can be the Foreign Agent. Again, if the network is a Mobile IP based cellular network, then the Mobile Node and the Corresponding Node may also have to set up a Security Association in order to implement Mobile IP mechanisms such as route optimizations. Finally, if a Localized Mobility Management scheme such as MIPv6RR or HMIPv6 is used, the Mobile Node and the Agents in the visited domain must share a Security Association.

In FIG. 1, a Mobile Node 100 shares knowledge of the parameters describing the Security Associations supported by the Mobile Node and the Mobile Node preferences regarding selection of the Security Association parameters with one or more entities in its home domain, in this case a Home AAA (Authentication, Authorization, and Accounting) Server 120 and/or a Policy Server 130.

The parameters describing the Security Association types that the Mobile Node supports and that are shared by the Mobile Node 100 and the Home AAA Server 120 and/or Policy Server 130 may include but are not limited to: what security algorithms, such as encryption, integrity protection, authentication and key derivation algorithms, are to be used for communications over the wireless interface; how these algorithms are to be used and in what cases; what keys are to be used with the algorithms; how additional keys to be used in the Security Association are to be derived; the lifetime of the Security Association and of the keys established in the Security Association.

As noted in FIG. 1, a Mobile Node 100 sends its identity and indications of the Security Associations it needs to establish with a network entity via a connection that may include a wireless link to an Agent 110. The network entity, in this case the Agent 110, then contacts an entity in the Mobile Node's home domain, in this case a Home AAA (Authentication, Authorization, and Accounting) Server 120. The Agent 110 sends the identity of the Mobile Node and, optionally, its own security policies and capabilities to the Home AAA Server 120. That is, the Agent 110 informs the Server 120 that a security association between the Agent and the Mobile Node identified by the identity is requested. The Agent 110 may also send to the Server 120 a list of proposals of parameters of the Security Associations it prefers to use with the Mobile Node 100.

Thus, rather than the Mobile Node 100 conducting the negotiations needed for the establishment of the required Security Associations with the Agent 110, the Agent 110 conducts negotiations with the Server 120. In the home domain of the Mobile Node 110, the capabilities of the Mobility Agent 110 are compared with those of the Mobile Node 100 by the Server 120 or by the Server 130. The Server 120 or the Server 130 acts as a proxy for the Mobile Node by conducting the negotiations with the Agent 110 and making a decision on the parameters of the Security Association according to the Mobile Node preferences. Several messages may be exchanged between the Mobility Agent 110 and the Server 120 or Server 130 prior to the final decision.

The Agent 110 then passes the choice/decision of the Server 120, that is, the parameters describing the selected Security Association, to the Mobile Node 100.

Note that the details of the various parameters transferred during negotiations between the Agent 110 and the Server 120 have not been discussed in detail since they are clearly defined in the standards of various industry groups. For example, the IETF (Internet Engineering Task Force), which publishes numerous industry standards on its Internet site at www.ietf.org, has published the Internet Security Association and Key Management Protocol (RFC 2408) and the Internet Key Exchange (RFC 2409), which are relevant to the above noted negotiations. They have also published numerous AAA standards, such as AAA Solutions, Criteria for Evaluating AAA Protocols for Network Access, and Authentication, Authorization, and Accounting: Protocol Evaluation. All of these standards are incorporated herein by reference in their entirety.

Furthermore, while present day cellular networks authenticate a user based on symmetric key mechanisms, future cellular networks will also have the option to use Public Key authentication mechanisms and, for the key distribution, many mechanisms, such as the Diffie Hellman procedure, will become possible. Accordingly, in accordance with the technique of the present invention, after the Mobile Node sends its identity to the network entity, such as the Agent, the Agent can communicate with the home domain, that is, the Home AAA Server, and learn from the Home AAA Server what parameters describing a Security Association the Mobile Node supports. Thus, the technique in accordance with the present invention offers the possibility of many types of Security Associations.

FIG. 2 illustrates an example of an environment in which the technique in accordance with the present invention may be used. As illustrated in FIG. 2, a mobile terminal (Mobile Node) 200 is connected via a wireless interface to an Agent 210 of a Visited Network 220 which is connected to a Visited Gateway (GW) 230 connected to a Home Gateway 240 of a Home Network 250. A Subscriber database/Authentication Center 260 is disposed within the Home Network 250 and is connected to the Home GW 240.

It is assumed that there is a pre-established Security Association between the Visited GW 230, which can be the Visited AAA Server, and the Agent 210. This Security Association may, for example, be set up offline through manual key entry, Internet Key Exchange Protocol or a Key Distribution Server specific to the Visited Network 220. This provides security internally to the network so that the operator can choose the level and type of security to be implemented in its network.

Similarly, there is another pre-established Security Association between the Subscriber database/Authentication Center 260 and the Home GW 240. This Security Association may be established in the same fashion as that noted above and also serves to provide security internally to the network.

Furthermore, there is still another pre-established Security Association between the Home GW 240 and the Visited GW 230. This Security Association may be established offline through a roaming agreement or via an automatic protocol according to industry standards.

The Mobile Node 200 and the Subscriber database/Authentication Center 260 may share a long-term key Ki, common knowledge of a security function F1 for derivation of an integrity key, common knowledge of a security function F2 for derivation of a ciphering key, and common knowledge of a MAC function for integrity protection of data. Other keys and knowledge of algorithms may be shared by the Mobile Node 200 and the Subscriber database/Authentication Center 260.

FIG. 3 illustrates an example of a negotiation to establish a Security Association in accordance with the present invention in the environment of FIG. 2. Referring to FIG. 3, the Mobile Node 200 generates a random value, RAND1, and uses it as an input with the key Ki for two different functions F1 and F2 and shares it with its Home Network 250 to derive a temporal integrity key IK and a temporal ciphering key CK. That is, F1 (Ki, RAND1)=IK and F2 (Ki, RAND2)=CK. The Mobile Node 200 sends its identity through its NAI, for example, to the Agent 210 with the RAND1 and a MAC for integrity protection using the IK. The Mobile Node 200 may also protect part of the message by using CK to encrypt it.

Since the message is a request for a Security Association to be set up between the Agent 210 and the Mobile Node 200 which belongs to another network, the Agent 210 forwards the message to the Visited GW 230 and may include the parameters describing the Security Associations that the Agent 230 supports. In addition, the Agent 230 may also include in the message a list of proposals of parameters of the Security Associations it prefers to use with the Mobile Node 200.

The Agent 210 can determine that the Mobile Node 200 belongs to another network by analyzing the realm part of the NAI, for example. This message is secured due to the Security Association between the Agent 210 and the Visited GW 230.

The Visited GW 230 then transmits this request to the Home GW 240 of the Mobile Node 200 due to the realm part of the NAI, for example, and this message is protected by the Security Association established between the Visited GW 230 and the Home GW 240.

The Home GW 240 then forwards the message to the Subscriber database/Authentication Center 260. The message is protected using the appropriate Security Association established therebetween.

The Subscriber database/Authentication Center 260 then retrieves the Ki based on the NAI and, using the RAND1, derives CK and IK. It then verifies the correctness of the MAC using IK and, if it succeeds, the Subscriber database/Authentication Center 260, on behalf of the Mobile Node 200, starts the negotiations of the different parameters of a Security Association with the Agent 210. These message exchanges are protected due to the various established Security Associations between the Agent 210 and the Visited GW 230 and between the Visited GW 230 and the Home GW 240, etc.

The Subscriber database/Authentication Center 260 will determine, from a database, which Security Association parameters are to be used, based on the parameters for Security Associations that the Mobile Node 200 supports.

Note that there may be several round-trip message exchanges in the negotiation, which may occur before there is agreement with respect to all of the different parameters. Any agreed-upon industry standard protocol may be used for the Security Association.

Once the Subscriber database/Authentication Center 260 and the Agent 210 have agreed on the different parameters describing the Security Association to be used with the Mobile Node 200, the Subscriber database/Authentication Center 260 will send the parameters to the Agent 210 utilizing the previously established Security Associations to protect and authenticate them and will also inform the Mobile Node 200 using CK and IK to secure the parameters. The Mobile Node 200 and its Home GW 240 can use flags or some data fields to carry data. However, no standardization thereof may be required since the data is being sent from the Mobile Node 200 to its Home GW 240. The Subscriber database/Authentication Center 260 may also generate another random value RAND2 and send it to the Mobile Node 200 using the random value RAND1.

The Mobile Node 200 may use both CK and IK to decrypt/authenticate the message received from its Home GW 240 and set up the Security Association according to the contents of the message.
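
The FIG. 3 exchange can be sketched end to end as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the unspecified functions F1, F2 and MAC, both keys are derived from RAND1 as in the Authentication Center step, and the NAI, the Ki value, the algorithm names, the message layout and the RAND1 replay cache are assumptions made for illustration. Encryption with CK is left out.

```python
import hashlib
import hmac
import json
import os

# Constructed subscriber record standing in for the Subscriber
# database/Authentication Center 260. NAI, Ki and algorithm names are made up.
SUBSCRIBERS = {
    "mn200@home.example": {
        "ki": bytes.fromhex("00112233445566778899aabbccddeeff"),
        # Stored SA parameters the Mobile Node supports, most preferred first.
        "supported": {
            "encryption": ["aes-128-ctr", "3des-cbc"],
            "integrity": ["hmac-sha256", "hmac-sha1"],
        },
        "max_lifetime_s": 3600,
    }
}
SEEN_RAND1 = set()  # replay cache: an added check, not described in the text


def derive_keys(ki, rand1):
    """Assumed stand-ins for F1 and F2: returns (IK, CK)."""
    ik = hmac.new(ki, b"F1" + rand1, hashlib.sha256).digest()
    ck = hmac.new(ki, b"F2" + rand1, hashlib.sha256).digest()
    return ik, ck


def mac(ik, data):
    """Assumed stand-in for the shared MAC function."""
    return hmac.new(ik, data, hashlib.sha256).digest()


def mn_build_request(nai, ki, rand1=None):
    """Mobile Node: the only uplink message is NAI + RAND1 + MAC."""
    rand1 = rand1 or os.urandom(16)
    ik, _ck = derive_keys(ki, rand1)
    return {"nai": nai, "rand1": rand1, "mac": mac(ik, nai.encode() + rand1)}


def auc_negotiate(request, agent_proposal):
    """Home side: verify the MAC, then choose SA parameters as the MN's proxy."""
    nai, rand1 = request["nai"], request["rand1"]
    sub = SUBSCRIBERS.get(nai)
    if sub is None:
        raise LookupError("unknown NAI")
    ik, _ck = derive_keys(sub["ki"], rand1)
    if not hmac.compare_digest(mac(ik, nai.encode() + rand1), request["mac"]):
        raise PermissionError("MAC check failed")
    if (nai, rand1) in SEEN_RAND1:
        raise PermissionError("replayed RAND1")
    SEEN_RAND1.add((nai, rand1))
    chosen = {}
    for field, prefs in sub["supported"].items():
        offered = agent_proposal.get(field, [])
        # Mobile Node preference order wins among what the Agent offers.
        match = next((alg for alg in prefs if alg in offered), None)
        if match is None:
            raise ValueError("no common " + field + " algorithm")
        chosen[field] = match
    limit = sub["max_lifetime_s"]
    chosen["lifetime_s"] = min(limit, agent_proposal.get("lifetime_s", limit))
    payload = json.dumps(chosen, sort_keys=True).encode()
    # The decision travels back to the Mobile Node integrity-protected with IK.
    return {"payload": payload, "mac": mac(ik, payload)}


def mn_accept(response, ki, rand1):
    """Mobile Node: authenticate the single downlink message, return the SA."""
    ik, _ck = derive_keys(ki, rand1)
    if not hmac.compare_digest(mac(ik, response["payload"]), response["mac"]):
        raise PermissionError("SA parameters not authenticated")
    return json.loads(response["payload"])
```

Only `mn_build_request` and `mn_accept` cross the wireless interface; every round of the selection in `auc_negotiate` runs between the Agent and the home domain.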

FIG. 4 illustrates another example of a negotiation to establish a Security Association in accordance with the present invention. In the example shown in FIG. 3, the Subscriber Database and Authentication Server 260 is aware of the keys used by the Mobile Node 200, which may not be acceptable in certain cases. That is, the Mobile Node 200 may not want anyone other than the entity that it is communicating with to know the keys that are being used. As shown in FIG. 4, it is possible for the Server 220 or the Server 230 acting as a proxy on behalf of the Mobile Node 200 to negotiate the value of the parameters of the Security Association to be used between the Mobile Node 200 and the Agent 210 without the Server 220 or the Server 230 knowing the value of the keys. For example, after the Agent 210 provides during the negotiation its Diffie Hellman public value to the Server 220 or the Server 230, the latter may send the public Diffie Hellman value of the Agent 210 to the Mobile Node 200. Since the Server 220 or the Server 230 does not know the Mobile Node 200 private Diffie Hellman value, it cannot determine the final value of the parameters of the Security Association. That is, the Home Network 250 is used to negotiate the different parameters of the Security Association and exchange the Diffie Hellman value in an authenticated fashion but since the Server 220 or the Server 230 does not know the Mobile Node's private value, it cannot derive the final keys.
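
The FIG. 4 variant can be illustrated with the following added example, which is not code from the patent. It assumes a toy Diffie Hellman group (the 127-bit Mersenne prime, far too small for real use; deployments use standardized groups such as those in RFC 3526), HMAC-SHA256 under IK as the authentication of the relayed public value, and hypothetical message fields and function names.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public); the private value never leaves its owner."""
    private = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return private, pow(G, private, P)


def check_public(y):
    """Reject degenerate public values that would force a predictable secret."""
    if not isinstance(y, int) or not 1 < y < P - 1:
        raise ValueError("invalid Diffie Hellman public value")
    return y


def _tag(ik, sender, y):
    data = sender.encode() + b"|" + y.to_bytes(16, "big")
    return hmac.new(ik, data, hashlib.sha256).digest()


def relay_public(ik, sender, y):
    """Home proxy: forward a public value, authenticated with IK.

    The proxy handles only public values, so it can authenticate the
    exchange without being able to compute the resulting key.
    """
    return {"sender": sender, "public": check_public(y), "mac": _tag(ik, sender, y)}


def receive_public(ik, msg):
    """Mobile Node: accept the relayed value only if the MAC verifies."""
    check_public(msg["public"])
    expected = _tag(ik, msg["sender"], msg["public"])
    if not hmac.compare_digest(expected, msg["mac"]):
        raise PermissionError("relayed public value not authenticated")
    return msg["public"]


def session_key(own_private, peer_public):
    """Both endpoints hash the shared secret into the SA key."""
    shared = pow(check_public(peer_public), own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange(ik):
    """Agent and Mobile Node agree on a key; returns (agent_key, mn_key)."""
    agent_priv, agent_pub = dh_keypair()
    mn_priv, mn_pub = dh_keypair()
    msg = relay_public(ik, "agent210", agent_pub)   # Agent -> proxy -> MN
    mn_key = session_key(mn_priv, receive_public(ik, msg))
    agent_key = session_key(agent_priv, mn_pub)     # MN public value -> Agent
    return agent_key, mn_key
```

The home proxy sees `agent_pub` and `mn_pub` but neither private value, which is why it cannot reproduce the output of `session_key`.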

This concludes the description of the example embodiments. Although the present invention has been described with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this invention. More particularly, reasonable variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the foregoing disclosure, the drawings, and the appended claims without departing from the spirit of this invention. In addition to variations and modifications in the component parts and/or arrangements, alternative uses will also be apparent to those skilled in the art.

1. A security association establishment negotiation method comprising: forwarding identifying information and a request for a security association from a mobile node via a first interface to a first network element; forwarding the identifying information and the request for a security association from the first network element to a second network element via a second interface; performing negotiations between the first network element and the second network element via the second interface to establish a security association between the mobile node and the first network element, the second network element utilizing previously stored security association parameters of the mobile node; and upon agreement between the first network element and the second network element with regard to the security association parameters, the first network element forwarding the agreed-upon security association parameters negotiated between the first network element and the second network element to the mobile node via the first interface.
2. The method of claim 1, wherein performing negotiations between the first network element and the second network element via the second interface includes exchanging parameters for the establishment of the security association.
3. The method of claim 2, wherein the first interface comprises a wireless interface to forward information between the mobile node and the first network element.
4. The method of claim 2, wherein the first network element is connected to a first gateway.
5. The method of claim 4, wherein the first gateway comprises an authentication, authorization, and accounting (AAA) server.
6. The method of claim 1, wherein the second network element comprises a subscriber database and an authentication center.
7. The method of claim 6, wherein the second network element further comprises a second gateway connected to the subscriber database and authentication center.
8. The method of claim 7, wherein the second gateway comprises an authentication, authorization, and accounting (AAA) server.
9. A security association establishment negotiation apparatus for a mobile node, the apparatus comprising: a first interface connected to a first network element to forward identifying information and the request for a security association from the mobile node to the first network element; and a second interface connected between the first network element and a second network element, configured to forward the identifying information and the request for a security association from the first network element to the second network element, the first network element performing negotiations between the first network element and the second network element to establish a security association between the mobile node and the first network element utilizing security association parameters of the mobile node previously stored in the second network element; wherein, upon agreement between the first network element and the second network element with regard to the security association parameters, the first network element forwarding the agreed-upon security association parameters negotiated between the first network element and the second network element to the mobile node via the first interface.
10. The apparatus of claim 9, wherein performing negotiations between the first network element and the second network element via the second interface includes exchanging parameters for the establishment of the security association.
11. The apparatus of claim 10, wherein the first interface comprises a wireless interface to forward information between the mobile node and the first network element.
12. The apparatus of claim 11, wherein the first network element is connected to a first gateway.
13. The apparatus of claim 12, wherein the first gateway comprises an authentication, authorization, and accounting (AAA) server.
14. The apparatus of claim 10, wherein the second network element comprises a subscriber database and an authentication center.
15. The apparatus of claim 14, wherein the second network element further comprises a second gateway connected to the subscriber database and authentication center.
16. The apparatus of claim 15, wherein the second gateway comprises an authentication, authorization, and accounting (AAA) server.